During the group creation process in BuddyPress it's possible to
inject JavaScript code into the name field in the form at
http://example.com/groups/create/step/group-details/ using, for instance,
this group name:
name" onmouseover="alert('xss')

To test this vulnerability, reproduce the following steps:

1) Create a group named as follows: name" onmouseover="alert('xss')
2) Visiting this URL:
http://example.com/groups/create/step/group-details/ causes the
alert to show on mouse over the group name field.
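
Why the double quote in the group name matters, and what the fix looks like, shown as an added example (not BuddyPress source code): the stored name is written into the field's value attribute, first as-is and then encoded for an attribute context. The function names and the input markup are hypothetical; htmlspecialchars() stands in for WordPress's esc_attr() so the snippet runs without WordPress (PHP 7.4+ with the DOM extension).

```php
<?php
// Added illustration; not BuddyPress source. Function names and markup are hypothetical.

// Vulnerable pattern: the stored group name is placed in the value attribute as-is.
function render_name_field_unsafe(string $group_name): string {
    return '<input type="text" name="group-name" id="group-name" value="' . $group_name . '" />';
}

// Hardened pattern: encode for an HTML attribute context before output.
// In WordPress code the equivalent call is esc_attr().
function render_name_field_safe(string $group_name): string {
    $encoded = htmlspecialchars($group_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="group-name" id="group-name" value="' . $encoded . '" />';
}

// Parse the markup and return the attributes a browser would see on the <input>.
function input_attributes(string $html): array {
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    foreach ($input->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

// The group name from the report above.
$name = 'name" onmouseover="alert(\'xss\')';

$renderers = ['unsafe' => 'render_name_field_unsafe', 'safe' => 'render_name_field_safe'];
foreach ($renderers as $label => $fn) {
    $attrs = input_attributes($fn($name));
    // Any attribute starting with "on" is an event handler the name was never meant to create.
    $handlers = array_filter(array_keys($attrs), fn($a) => strncmp($a, 'on', 2) === 0);
    printf(
        "%-6s value=%s  event handlers: %s\n",
        $label,
        var_export($attrs['value'], true),
        $handlers ? implode(',', $handlers) : 'none'
    );
}
```

In the unescaped rendering the quote ends the value attribute early and the rest of the name is parsed as a separate onmouseover attribute; in the encoded rendering the whole name stays inside value and no event handler exists.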